关键字:反汇编、 内核

涉及工具:mkbootimg、 unpackbootimg、 gzip、 readelf、objdump、simg2img、mount、extract-dtb.py、dt、cpio

目录

1、Android bootimg kernel(boot.img)

1.1、内核boot.img-zImage分析

1.2、设备树

1.3、根目录

2、emmc_appsboot.mbn:

3、splash.img:

4、dtbo.img:

5、mdtp.img:

6、vbmeta.img:

7、Linux rev 1.0 ext4 filesystem data(persist.img)

8、Android sparse image(system.img、userdata.img、vendor.img):

9、Super.img :

上篇日志分析可以看到开机流程中需要使用很多分区,这些分区在eMMC中占用不同的空间,其占用信息存储于分区表(GPT)中。高通智能机分区表详细解析_rockly89的博客-CSDN博客_fsc分区里面是比较全的分区描述,android P以后才有的vbmeta用于验证、dtbo是设备树叠加层。下面是dev下block节点读的信息。

这个博客主要研究刷机到底刷进去的是什么。MP镜像不管,只分析android的镜像。查看Android源码编出来的文件。

file . *

boot.img:          Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidbo)dtbo.img:          dataemmc_appsboot.mbn: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, strippedipsm.img:          Android sparse image, version: 1.0, Total of 393216 4096-byte output blocks in 22 input chunks.license.img:       Android sparse image, version: 1.0, Total of 4096 4096-byte output blocks in 8 input chunks.mdtp.img:          datapersist.img:       Linux rev 1.0 ext4 filesystem data, UUID=d9a6bc78-9d91-4760-9f23-ea9d57708460 (extents) (large files) (huge files)secure.img:        Android sparse image, version: 1.0, Total of 4096 4096-byte output blocks in 8 input chunks.splash.img:        datasystem.img:        Android sparse image, version: 1.0, Total of 688640 4096-byte output blocks in 27 input chunks.userdata.img:      Android sparse image, version: 1.0, Total of 1324921 4096-byte output blocks in 30 input chunks.vbmeta.img:        datavendor.img:        Android sparse image, version: 1.0, Total of 192000 4096-byte output blocks in 17 input chunks.

从上面可以看出
           Android sparse image(稀疏)格式最多,这种格式可以理解文件系统的一种压缩格式,查看需解压。(差分升级如果包括该类镜像,不要用这种格式直接做差分diff)

Linux rev 1.0 ext4 filesystem data,是一种文件系统格式,也是Android sparse image(稀疏)格式的解压,可直接挂载查看。

data,数据类型,该类型实际是未识别的类型,其中splash.img和vbmeta.img未识别,我们后面再分析。(实际电子设备上存储的所有东西都可认为是data)

Android bootimg kernel格式最复杂,主要包含cmdline,设备树,内核,文件系统。由google的andorid源码工具mkbootimg制作,本blog大部分篇幅介绍的是boot.img镜像解析和反汇编。

ELF 32-bit LSB executable,是执行文件类型,其实boot.img镜像中内核可以当作执行文件,为了理解执行文件,将反汇编emmc_appsboot.mbn和boot.img中的内核。

1、Android bootimg kernel(boot.img)

boot.img包含内核,根文件系统,设备树,cmdline。编译使用mkbootimg,解压使用unpackbootimg,GITHUB上不少该工具。

先用unpackbootimg boot.img解压

boot.img:            Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidbo)
boot.img-base:       ASCII text
boot.img-board:      very short file (no magic)
boot.img-cmdline:    ASCII text, with very long lines
boot.img-dtb:        very short file (no magic)
boot.img-hash:       ASCII text
boot.img-kerneloff:  ASCII text
boot.img-oslevel:    ASCII text
boot.img-osversion:  ASCII text
boot.img-pagesize:   ASCII text
boot.img-ramdisk.gz: gzip compressed data, from Unix
boot.img-ramdiskoff: ASCII text
boot.img-secondoff:  ASCII text
boot.img-tagsoff:    ASCII text
boot.img-zImage:     gzip compressed data, max compression, from Unix

其中内核文件boot.img-zImage,根目录文件boot.img-ramdisk.gz,设备树在内核文件中,recovery的设备树是boot.img-dtb,cmdline是boot.img-cmdline。

1.1、内核boot.img-zImage分析

  • cp boot.img-zImage zImage.gz重命名
  • gzip -d zImage.gz解压

得到的zImage是MS-DOS executable, MZ for MS-DOS格式文件, Beyong Compare对比可以看到zImage就是源码编译出的obj\KERNEL_OBJ\arch\arm64\boot\zImage,它是vmlinux通过编译工具objcopy去掉调试信息后的二进制文件。源码编译时是使用工具mpgen.py。可以访问linux kernel编译产生的vmlinux Image zImage之间的关系_潘振杰的博客-CSDN博客_kernel编译完后只有vmlinux查看kernel怎么生成的。(与android的boot.img稍有不同)

这里要对内核反汇编,相关知识比较弱的建议先看下相关blog并动手尝试,下面两个博客有不少分析可执行文件的工具。

逆向与反汇编工具 - mull - 博客园

ELF文件-逆向工具_ToTHotSpur的博客-CSDN博客_elf 逆向

描述了ELF文件结构。

https://blog.csdn.net/abc_12366/article/details/88205670

执行反汇编命令,解析vmlinux:

readelf -hlSVAI vmlinux(-r/s参数内容多,谨慎使用)

aarch64-linux-androidkernel-objdump -afphG vmlinux (-D/d/S/s/x参数内容太多,谨慎使用)

Linux下利用objdump查看文件空间地址分布 - jrglinux - 博客园

readelf -S vmlinux

ELF Header:Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00Class:                             ELF64Data:                              2's complement, little endianVersion:                           1 (current)OS/ABI:                            UNIX - System VABI Version:                       0Type:                              DYN (Shared object file)Machine:                           AArch64Version:                           0x1Entry point address:               0xffffff8008080000Start of program headers:          64 (bytes into file)Start of section headers:          273510912 (bytes into file)Flags:                             0x0Size of this header:               64 (bytes)Size of program headers:           56 (bytes)Number of program headers:         4Size of section headers:           64 (bytes)Number of section headers:         42Section header string table index: 39Section Headers:[Nr] Name              Type             Address           OffsetSize              EntSize          Flags  Link  Info  Align[ 0]                   NULL             0000000000000000  000000000000000000000000  0000000000000000           0     0     0[ 1] .head.text        PROGBITS         ffffff8008080000  000100000000000000001000  0000000000000000  AX       0     0     4096[ 2] .text             PROGBITS         ffffff8008081000  0001100000000000010c36d8  0000000000000008  AX       0     0     2048[ 3] .rodata           PROGBITS         ffffff8009200000  0110000000000000006afc25  0000000000000000  WA       0     0     1048576[ 4] .eh_frame         PROGBITS         ffffff80098afc28  017afc280000000000000048  0000000000000000   A       0     0     8[ 5] __bug_table       PROGBITS         ffffff80098afc70  017afc7000000000000190e0  0000000000000000   A       0     0     4[ 6] __ksymtab         PROGBITS         ffffff80098c8d50  017c8d500000000000016700  0000000000000000   A       0     0     8[ 7] __ksymtab_gpl     PROGBITS         ffffff80098df450  017df4500000000000010580  0000000000000000   A       0     0     8[ 8] __kcrctab         PROGBITS         ffffff80098ef9d0  017ef9d0000000000000b380  0000000000000000   A       0     0     8[ 9] __kcrctab_gpl     PROGBITS         ffffff80098fad50  017fad5000000000000082c0  0000000000000000   A       0     0     8[10] __ksymtab_strings PROGBITS         ffffff8009903010  01803010000000000002ff08  0000000000000000   A       0     0     1[11] __param           PROGBITS         ffffff8009932f18  01832f180000000000004f60  0000000000000000   A       0     0     8[12] __modver          PROGBITS         ffffff8009937e78  01837e780000000000000188  0000000000000000   A       0     0     8[13] __ex_table        PROGBITS         ffffff8009938000  018380000000000000004c48  0000000000000000   A       0     0     8[14] .notes            NOTE             ffffff800993cc48  0183cc480000000000000024  0000000000000000   A       0     0     4[15] .init.text        PROGBITS         ffffff8009940000  01840000000000000007561c  0000000000000000  AX       0     0     16[16] .exit.text        PROGBITS         ffffff80099b561c  018b561c0000000000006654  0000000000000000  AX       0     0     4[17] .init.data        PROGBITS         ffffff80099bbd00  018bbd000000000000114de8  0000000000000000  WA       0     0     256[18] .data..percpu     PROGBITS         ffffff8009ad1000  019d1000000000000000db28  0000000000000000  WA       0     0     128[19] .altinstructions  PROGBITS         ffffff8009adeb28  019deb28000000000001de8c  0000000000000000   A       0     0     1[20] .altinstr_replace PROGBITS         ffffff8009afc9b4  019fc9b4000000000000a3b8  0000000000000000  AX       0     0     4[21] .rela             RELA             ffffff8009b06d70  01a06d700000000000484d70  0000000000000018   A       0     0     8[22] .data             PROGBITS         ffffff8009f90000  01e900000000000000237e08  0000000000000000  WA       0     0     4096[23] .got.plt          PROGBITS         ffffff800a1c7e08  020c7e080000000000000018  0000000000000008  WA       0     0     8[24] .bss_rtic         PROGBITS         ffffff800a1c8000  020c80000000000000001004  0000000000000000  WA       0     0     4096[25] __clk_of_table_en PROGBITS         ffffff800a1c9008  020c900800000000000000c8  0000000000000000  WA       0     0     8[26] .mmuoff.data.writ PROGBITS         ffffff800a1c9800  020c98000000000000000014  0000000000000000  WA       0     0     2048[27] .mmuoff.data.read PROGBITS         ffffff800a1ca000  020ca0000000000000000008  0000000000000000  WA       0     0     8[28] .pecoff_edata_pad PROGBITS         ffffff800a1ca008  020ca00800000000000001f8  0000000000000000  WA       0     0     1[29] .bss              NOBITS           ffffff800a1cb000  020ca20000000000009b6038  0000000000000000  WA       0     0     4096[30] .comment          PROGBITS         0000000000000000  020ca2000000000000000027  0000000000000001  MS       0     0     1[31] .debug_line       PROGBITS         0000000000000000  020ca2270000000000db311b  0000000000000000           0     0     1[32] .debug_info       PROGBITS         0000000000000000  02e7d342000000000a65870b  0000000000000000           0     0     1[33] .debug_abbrev     PROGBITS         0000000000000000  0d4d5a4d00000000003a8243  0000000000000000           0     0     1[34] .debug_aranges    PROGBITS         0000000000000000  0d87dc9000000000000294e0  0000000000000000           0     0     16[35] .debug_ranges     PROGBITS         0000000000000000  0d8a71700000000000961e50  0000000000000000           0     0     16[36] .debug_frame      PROGBITS         0000000000000000  0e208fc0000000000031e220  0000000000000000           0     0     8[37] .debug_str        PROGBITS         0000000000000000  0e5271e00000000000454737  0000000000000001  MS       0     0     1[38] .debug_loc        PROGBITS         0000000000000000  0e97b9170000000001403166  0000000000000000           0     0     1[39] .shstrtab         STRTAB           0000000000000000  104d702100000000000001da  0000000000000000           0     0     1[40] .symtab           SYMTAB           0000000000000000  0fd7ea800000000000473820  0000000000000018          41   159880     8[41] .strtab           STRTAB           0000000000000000  101f22a000000000002e4d81  0000000000000000           0     0     1Key to Flags:W (write), A (alloc), X (execute), M (merge), S (strings)I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)O (extra OS processing required) o (OS specific), p (processor specific)Program Headers:Type           Offset             VirtAddr           PhysAddrFileSiz            MemSiz              Flags  AlignLOAD           0x0000000000010000 0xffffff8008080000 0xffffff80080800000x00000000010c46d8 0x00000000010c46d8  R E    10000LOAD           0x0000000001100000 0xffffff8009200000 0xffffff80092000000x0000000000fca200 0x0000000001981038  RWE    10000NOTE           0x000000000183cc48 0xffffff800993cc48 0xffffff800993cc480x0000000000000024 0x0000000000000024  R      4GNU_STACK      0x0000000000000000 0x0000000000000000 0x00000000000000000x0000000000000000 0x0000000000000000  RW     10Section to Segment mapping:Segment Sections...00     .head.text .text01     .rodata .eh_frame __bug_table __ksymtab __ksymtab_gpl __kcrctab __kcrctab_gpl __ksymtab_strings __param __modver __ex_table .notes .init.text .exit.text .init.data .data..percpu .altinstructions .altinstr_replacement .rela .data .got.plt .bss_rtic __clk_of_table_end .mmuoff.data.write .mmuoff.data.read .pecoff_edata_padding .bss02     .notes03    No version information found in this file.

aarch64-linux-androidkernel-objdump -afp vmlinux

vmlinux:     file format elf64-littleaarch64vmlinuxarchitecture: aarch64, flags 0x00000150:HAS_SYMS, DYNAMIC, D_PAGEDstart address 0xffffff8008080000Program Header:LOAD off    0x0000000000010000 vaddr 0xffffff8008080000 paddr 0xffffff8008080000 align 2**16filesz 0x00000000010c46d8 memsz 0x00000000010c46d8 flags r-xLOAD off    0x0000000001100000 vaddr 0xffffff8009200000 paddr 0xffffff8009200000 align 2**16filesz 0x0000000000fca200 memsz 0x0000000001981038 flags rwxNOTE off    0x000000000183cc48 vaddr 0xffffff800993cc48 paddr 0xffffff800993cc48 align 2**2filesz 0x0000000000000024 memsz 0x0000000000000024 flags r--STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-private flags = 0:Sections:Idx Name          Size      VMA               LMA               File off  Algn0 .head.text    00001000  ffffff8008080000  ffffff8008080000  00010000  2**12CONTENTS, ALLOC, LOAD, READONLY, CODE1 .text         010c36d8  ffffff8008081000  ffffff8008081000  00011000  2**11CONTENTS, ALLOC, LOAD, READONLY, CODE2 .rodata       006afc25  ffffff8009200000  ffffff8009200000  01100000  2**20CONTENTS, ALLOC, LOAD, DATA3 .eh_frame     00000048  ffffff80098afc28  ffffff80098afc28  017afc28  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA4 __bug_table   000190e0  ffffff80098afc70  ffffff80098afc70  017afc70  2**2CONTENTS, ALLOC, LOAD, READONLY, DATA5 __ksymtab     00016700  ffffff80098c8d50  ffffff80098c8d50  017c8d50  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA6 __ksymtab_gpl 00010580  ffffff80098df450  ffffff80098df450  017df450  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA7 __kcrctab     0000b380  ffffff80098ef9d0  ffffff80098ef9d0  017ef9d0  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA8 __kcrctab_gpl 000082c0  ffffff80098fad50  ffffff80098fad50  017fad50  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA9 __ksymtab_strings 0002ff08  ffffff8009903010  ffffff8009903010  01803010  2**0CONTENTS, ALLOC, LOAD, READONLY, DATA10 __param       00004f60  ffffff8009932f18  ffffff8009932f18  01832f18  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA11 __modver      00000188  ffffff8009937e78  ffffff8009937e78  01837e78  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA12 __ex_table    00004c48  ffffff8009938000  ffffff8009938000  01838000  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA13 .notes        00000024  ffffff800993cc48  ffffff800993cc48  0183cc48  2**2CONTENTS, ALLOC, LOAD, READONLY, DATA14 .init.text    0007561c  ffffff8009940000  ffffff8009940000  01840000  2**4CONTENTS, ALLOC, LOAD, READONLY, CODE15 .exit.text    00006654  ffffff80099b561c  ffffff80099b561c  018b561c  2**2CONTENTS, ALLOC, LOAD, READONLY, CODE16 .init.data    00114de8  ffffff80099bbd00  ffffff80099bbd00  018bbd00  2**8CONTENTS, ALLOC, LOAD, DATA17 .data..percpu 0000db28  ffffff8009ad1000  ffffff8009ad1000  019d1000  2**7CONTENTS, ALLOC, LOAD, DATA18 .altinstructions 0001de8c  ffffff8009adeb28  ffffff8009adeb28  019deb28  2**0CONTENTS, ALLOC, LOAD, READONLY, DATA19 .altinstr_replacement 0000a3b8  ffffff8009afc9b4  ffffff8009afc9b4  019fc9b4  2**2CONTENTS, ALLOC, LOAD, READONLY, CODE20 .rela         00484d70  ffffff8009b06d70  ffffff8009b06d70  01a06d70  2**3CONTENTS, ALLOC, LOAD, READONLY, DATA21 .data         00237e08  ffffff8009f90000  ffffff8009f90000  01e90000  2**12CONTENTS, ALLOC, LOAD, DATA22 .got.plt      00000018  ffffff800a1c7e08  ffffff800a1c7e08  020c7e08  2**3CONTENTS, ALLOC, LOAD, DATA23 .bss_rtic     00001004  ffffff800a1c8000  ffffff800a1c8000  020c8000  2**12CONTENTS, ALLOC, LOAD, DATA24 __clk_of_table_end 000000c8  ffffff800a1c9008  ffffff800a1c9008  020c9008  2**3CONTENTS, ALLOC, LOAD, DATA25 .mmuoff.data.write 00000014  ffffff800a1c9800  ffffff800a1c9800  020c9800  2**11CONTENTS, ALLOC, LOAD, DATA26 .mmuoff.data.read 00000008  ffffff800a1ca000  ffffff800a1ca000  020ca000  2**3CONTENTS, ALLOC, LOAD, DATA27 .pecoff_edata_padding 000001f8  ffffff800a1ca008  ffffff800a1ca008  020ca008  2**0CONTENTS, ALLOC, LOAD, DATA28 .bss          009b6038  ffffff800a1cb000  ffffff800a1cb000  020ca200  2**12ALLOC29 .comment      00000027  0000000000000000  0000000000000000  020ca200  2**0CONTENTS, READONLY30 .debug_line   00db311b  0000000000000000  0000000000000000  020ca227  2**0CONTENTS, READONLY, DEBUGGING31 .debug_info   0a65870b  0000000000000000  0000000000000000  02e7d342  2**0CONTENTS, READONLY, DEBUGGING32 .debug_abbrev 003a8243  0000000000000000  0000000000000000  0d4d5a4d  2**0CONTENTS, READONLY, DEBUGGING33 .debug_aranges 000294e0  0000000000000000  0000000000000000  0d87dc90  2**4CONTENTS, READONLY, DEBUGGING34 .debug_ranges 00961e50  0000000000000000  0000000000000000  0d8a7170  2**4CONTENTS, READONLY, DEBUGGING35 .debug_frame  0031e220  0000000000000000  0000000000000000  0e208fc0  2**3CONTENTS, READONLY, DEBUGGING36 .debug_str    00454737  0000000000000000  0000000000000000  0e5271e0  2**0CONTENTS, READONLY, DEBUGGING37 .debug_loc    01403166  0000000000000000  0000000000000000  0e97b917  2**0CONTENTS, READONLY, DEBUGGING

内容结构可以访问https://blog.csdn.net/abc_12366/article/details/88205670,为直观体现执行文件里面数据的意义,先找入口函数start_kernel()位置,下面博客有两种方法反汇编指定函数。

Linux下反汇编指定的函数_zuxi的博客-CSDN博客

kernel入口函数start_kernel()反汇编如下,可以对比源码中kernel/init/main.c的start_kernel()中内容。

nm -n vmlinux |grep -A1 "start_kernel"

ffffff8008095378 T secondary_start_kernelffffff8008095594 T __cpu_disable--ffffff80099408a8 T start_kernelffffff8009940cb4 t kernel_init_freeable

aarch64-linux-androidkernel-objdump -d vmlinux --start-address=0xffffff80099408a8 --stop-address=0xffffff8009940cb4

vmlinux:     file format elf64-littleaarch64Disassembly of section .init.text:ffffff80099408a8 <start_kernel>:ffffff80099408a8:     a9b97bfd      stp      x29, x30, [sp,#-112]!ffffff80099408ac:     f0003380      adrp   x0, ffffff8009fb3000 <argv_init>ffffff80099408b0:    910003fd      mov    x29, spffffff80099408b4:    a90363f7      stp      x23, x24, [sp,#48]ffffff80099408b8:    f00032f8       adrp   x24, ffffff8009f9f000 <xt_connlimit_locks+0xc00>ffffff80099408bc:     91120000     add     x0, x0, #0x480ffffff80099408c0:     a90153f3      stp      x19, x20, [sp,#16]ffffff80099408c4:     a9025bf5      stp      x21, x22, [sp,#32]ffffff80099408c8:     f9460701      ldr       x1, [x24,#3080]ffffff80099408cc:     f90037a1      str       x1, [x29,#104]ffffff80099408d0:    f90023f9       str       x25, [sp,#64]ffffff80099408d4:    979dc255     bl        ffffff80080b1228 <set_task_stack_end_magic>ffffff80099408d8:    94000dc7     bl        ffffff8009943ff4 <smp_setup_processor_id>ffffff80099408dc:     9400d951     bl        ffffff8009976e20 <debug_objects_early_init>ffffff80099408e0:     9400637a     bl        ffffff80099596c8 <cgroup_init_early>ffffff80099408e4:     d50342df      msr     daifset, #0x2ffffff80099408e8:     f00032f6       adrp   x22, ffffff8009f9f000 <xt_connlimit_locks+0xc00>ffffff80099408ec:     97a1e434     bl        ffffff80081b99bc <trace_hardirqs_off>ffffff80099408f0:     52800020     mov    w0, #0x1                       // #1ffffff80099408f4:     f00003d4     adrp   x20, ffffff80099bb000 <masquerade_tg_exit+0x10>ffffff80099408f8:     91340294     add     x20, x20, #0xd00ffffff80099408fc:      d0004475     adrp   x21, ffffff800a1ce000 <reset_devices>ffffff8009940900:    393002c0     strb     w0, [x22,#3072]ffffff8009940904:    94003b72     bl        ffffff800994f6cc <boot_cpu_init>ffffff8009940908:    90ffc601       adrp   x1, ffffff8009200000 <__start_rodata>ffffff800994090c:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940910:    91026021     add     x1, x1, #0x98ffffff8009940914:    910fc000      add     x0, x0, #0x3f0ffffff8009940918:    9120e294     add     x20, x20, #0x838ffffff800994091c:     910002b7     add     x23, x21, #0x0ffffff8009940920:    97a2c471     bl        ffffff80081f1ae4 <printk>ffffff8009940924:    aa1803f3      mov    x19, x24ffffff8009940928:    910163a0     add     x0, x29, #0x58ffffff800994092c:     94000dc7     bl        ffffff8009944048 <setup_arch>ffffff8009940930:    52800101     mov    w1, #0x8                       // #8ffffff8009940934:    910183a0     add     x0, x29, #0x60ffffff8009940938:    97b63acb     bl        ffffff80086cf464 <get_random_bytes>ffffff800994093c:     f94033a1      ldr       x1, [x29,#96]ffffff8009940940:    d2812e00     mov    x0, #0x970                      // #2416ffffff8009940944:    f2a00080      movk  x0, #0x4, lsl #16ffffff8009940948:    ca000020      eor      x0, x1, x0ffffff800994094c:     9278dc01     and     x1, x0, #0xffffffffffffff00ffffff8009940950:    f9060701      str       x1, [x24,#3080]ffffff8009940954:    d5384102     mrs     x2, sp_el0ffffff8009940958:    f9034441      str       x1, [x2,#1672]ffffff800994095c:     f0003501      adrp   x1, ffffff8009fe3000 <vmpressure_notifier+0x20>ffffff8009940960:    aa1403e0     mov    x0, x20ffffff8009940964:    f9019c3f       str       xzr, [x1,#824]ffffff8009940968:    97ad261e     bl        ffffff800848a1e0 <__efistub_strlen>ffffff800994096c:     d2800001     mov    x1, #0x0                        // #0ffffff8009940970:    d2800002     mov    x2, #0x0                        // #0ffffff8009940974:    d2800003     mov    x3, #0x0                        // #0ffffff8009940978:    12800004     mov    w4, #0xffffffff                      // #-1ffffff800994097c:     91000400     add     x0, x0, #0x1ffffff8009940980:    f9402fb8       ldr       x24, [x29,#88]ffffff8009940984:    94009058     bl        ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff8009940988:    f90016e0      str       x0, [x23,#40]ffffff800994098c:     aa1403e0     mov    x0, x20ffffff8009940990:    97ad2614     bl        ffffff800848a1e0 <__efistub_strlen>ffffff8009940994:    91000400     add     x0, x0, #0x1ffffff8009940998:    d2800001     mov    x1, #0x0                        // #0ffffff800994099c:     d2800002     mov    x2, #0x0                        // #0ffffff80099409a0:     d2800003     mov    x3, #0x0                        // #0ffffff80099409a4:     12800004     mov    w4, #0xffffffff                      // #-1ffffff80099409a8:     9400904f      bl        ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff80099409ac:     f9001ae0      str       x0, [x23,#48]ffffff80099409b0:    aa1803e0     mov    x0, x24ffffff80099409b4:    97ad260b     bl        ffffff800848a1e0 <__efistub_strlen>ffffff80099409b8:    91000400     add     x0, x0, #0x1ffffff80099409bc:     d2800002     mov    x2, #0x0                        // #0ffffff80099409c0:     d2800003     mov    x3, #0x0                        // #0ffffff80099409c4:     12800004     mov    w4, #0xffffffff                      // #-1ffffff80099409c8:     d2800001     mov    x1, #0x0                        // #0ffffff80099409cc:     94009046     bl        ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff80099409d0:    aa0003f9      mov    x25, x0ffffff80099409d4:    f94016e0      ldr       x0, [x23,#40]ffffff80099409d8:    aa1403e1     mov    x1, x20ffffff80099409dc:     f9001ef9      str       x25, [x23,#56]ffffff80099409e0:     97ad5468     bl        ffffff8008495b80 <strcpy>ffffff80099409e4:     aa1803e1     mov    x1, x24ffffff80099409e8:     aa1903e0     mov    x0, x25ffffff80099409ec:     97ad5465     bl        ffffff8008495b80 <strcpy>ffffff80099409f0:     940060c6     bl        ffffff8009958d08 <setup_nr_cpu_ids>ffffff80099409f4:     940083bf     bl        ffffff80099618f0 <setup_per_cpu_areas>ffffff80099409f8:     94003b4d     bl        ffffff800994f72c <boot_cpu_state_init>ffffff80099409fc:      9400128d     bl        ffffff8009945430 <smp_prepare_boot_cpu>ffffff8009940a00:     d2800000     mov    x0, #0x0                        // #0ffffff8009940a04:     d2800001     mov    x1, #0x0                        // #0ffffff8009940a08:     97dfce2e       bl        ffffff80091342c0 <build_all_zonelists>ffffff8009940a0c:     940079c0     bl        ffffff800995f10c <page_alloc_init>ffffff8009940a10:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940a14:     aa1403e1     mov    x1, x20ffffff8009940a18:     910fe000      add     x0, x0, #0x3f8ffffff8009940a1c:     97a2c432     bl        ffffff80081f1ae4 <printk>ffffff8009940a20:     97ffff84         bl        ffffff8009940830 <parse_early_param>ffffff8009940a24:     d0ffff82        adrp   x2, ffffff8009932000 <__kstrtab_sctp_for_each_endpoint+0x2>ffffff8009940a28:     f0ffffa3          adrp   x3, ffffff8009937000 <__param_debug_mask+0x10>ffffff8009940a2c:     913c6042     add     x2, x2, #0xf18ffffff8009940a30:     9139e063     add     x3, x3, #0xe78ffffff8009940a34:     cb020063     sub     x3, x3, x2ffffff8009940a38:     b202e7e0     mov    x0, #0xcccccccccccccccc              // #-3689348814741910324ffffff8009940a3c:     9343fc63      asr      x3, x3, #3ffffff8009940a40:     12800004     mov    w4, #0xffffffff                      // #-1ffffff8009940a44:     f9401ee1      ldr       x1, [x23,#56]ffffff8009940a48:     90000007     adrp   x7, ffffff8009940000 <stext>ffffff8009940a4c:     1b030c03     madd  w3, w0, w3, w3ffffff8009940a50:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940a54:     2a0403e5     mov    w5, w4ffffff8009940a58:     91106000     add     x0, x0, #0x418ffffff8009940a5c:     d2800006     mov    x6, #0x0                        // #0ffffff8009940a60:     911520e7     add     x7, x7, #0x548ffffff8009940a64:     979e7f22      bl        ffffff80080e06ec <parse_args>ffffff8009940a68:     aa0003e1     mov    x1, x0ffffff8009940a6c:     b4000060     cbz      x0, ffffff8009940a78 <start_kernel+0x1d0>ffffff8009940a70:     b140041f     cmn    x0, #0x1, lsl #12ffffff8009940a74:     54000fe9      b.ls      ffffff8009940c70 <start_kernel+0x3c8>ffffff8009940a78:     913002c1     add     x1, x22, #0xc00ffffff8009940a7c:     52800022     mov    w2, #0x1                       // #1ffffff8009940a80:     52800000     mov    w0, #0x0                       // #0ffffff8009940a84:     39000422     strb     w2, [x1,#1]ffffff8009940a88:     940055ce      bl        ffffff80099561c0 <setup_log_buf>ffffff8009940a8c:     94003f3b     bl        ffffff8009950778 <pidhash_init>ffffff8009940a90:     94009ce4     bl        ffffff8009967e20 <vfs_caches_init_early>ffffff8009940a94:     94003f98      bl        ffffff80099508f4 <sort_main_extable>ffffff8009940a98:     94000f39      bl        ffffff800994477c <trap_init>ffffff8009940a9c:     94001b11     bl        ffffff80099476e0 <mem_init>ffffff8009940aa0:     940093c9     bl        ffffff80099659c4 <kmem_cache_init>ffffff8009940aa4:     940083c2     bl        ffffff80099619ac <percpu_init_late>ffffff8009940aa8:     94008a80     bl        ffffff80099634a8 <ptlock_cache_init>ffffff8009940aac:     94001bd1     bl        ffffff80099479f0 <pgd_cache_init>ffffff8009940ab0:     94008b2b     bl        ffffff800996375c <vmalloc_init>ffffff8009940ab4:     9400d7da     bl        ffffff8009976a1c <ioremap_huge_init>ffffff8009940ab8:     940050bd     bl        ffffff8009954dac <sched_init>ffffff8009940abc:     52800020     mov    w0, #0x1                       // #1ffffff8009940ac0:     979ec496     bl        ffffff80080f1d18 <preempt_count_add>ffffff8009940ac4:     d53b4220     mrs     x0, daifffffff8009940ac8:     373800e0     tbnz    w0, #7, ffffff8009940ae4 <start_kernel+0x23c>ffffff8009940acc:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940ad0:     9110a000     add     x0, x0, #0x428ffffff8009940ad4:     97a2c404     bl        ffffff80081f1ae4 <printk>ffffff8009940ad8:     d4210000     brk      #0x800ffffff8009940adc:     d50342df      msr     daifset, #0x2ffffff8009940ae0:     97a1e3b7     bl        ffffff80081b99bc <trace_hardirqs_off>ffffff8009940ae4:     9400d7bc     bl        ffffff80099769d4 <idr_init_cache>ffffff8009940ae8:     940058c2     bl        ffffff8009956df0 <rcu_init>ffffff8009940aec:     940069ff       bl        ffffff800995b2e8 <trace_init>ffffff8009940af0:     9400d7e7     bl        ffffff8009976a8c <radix_tree_init>ffffff8009940af4:     940056bc     bl        ffffff80099565e4 <early_irq_init>ffffff8009940af8:     94000ca3      bl        ffffff8009943d84 <init_IRQ>ffffff8009940afc:      94005ecb     bl        ffffff8009958628 <tick_init>ffffff8009940b00:    94005965     bl        ffffff8009957094 <rcu_init_nohz>ffffff8009940b04:    94005b64     bl        ffffff8009957894 <init_timers>ffffff8009940b08:    94005bb9     bl        ffffff80099579ec <hrtimers_init>ffffff8009940b0c:     94003b6b     bl        ffffff800994f8b8 <softirq_init>ffffff8009940b10:    94005ccb      bl        ffffff8009957e3c <timekeeping_init>ffffff8009940b14:    94000eeb     bl        ffffff80099446c0 <time_init>ffffff8009940b18:    94005f75      bl        ffffff80099588ec <sched_clock_postinit>ffffff8009940b1c:     940075d5     bl        ffffff800995e270 <perf_event_init>ffffff8009940b20:    97dfcdbb      bl        ffffff800913420c <profile_init>ffffff8009940b24:    9400603f      bl        ffffff8009958c20 <call_function_init>ffffff8009940b28:    d53b4220     mrs     x0, daifffffff8009940b2c:     373800a0     tbnz    w0, #7, ffffff8009940b40 <start_kernel+0x298>ffffff8009940b30:    90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940b34:    91118000     add     x0, x0, #0x460ffffff8009940b38:    97a2c3eb      bl        ffffff80081f1ae4 <printk>ffffff8009940b3c:     d4210000     brk      #0x800ffffff8009940b40:    393002df     strb     wzr, [x22,#3072]ffffff8009940b44:    97a1e654     bl        ffffff80081ba494 <trace_hardirqs_on>ffffff8009940b48:    d50342ff       msr     daifclr, #0x2ffffff8009940b4c:     910002b5     add     x21, x21, #0x0ffffff8009940b50:    940093e7     bl        ffffff8009965aec <kmem_cache_init_late>ffffff8009940b54:    9400ff6c       bl        ffffff8009980904 <console_init>ffffff8009940b58:    f9400ea1      ldr       x1, [x21,#24]ffffff8009940b5c:     b40000a1     cbz      x1, ffffff8009940b70 <start_kernel+0x2c8>ffffff8009940b60:    90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940b64:    f94012a2      ldr       x2, [x21,#32]ffffff8009940b68:    91120000     add     x0, x0, #0x480ffffff8009940b6c:     97a2c21d     bl        ffffff80081f13e0 <panic>ffffff8009940b70:    d0004474     adrp   x20, ffffff800a1ce000 <reset_devices>ffffff8009940b74:    f9404281      ldr       x1, [x20,#128]ffffff8009940b78:    b4000301     cbz      x1, ffffff8009940bd8 <start_kernel+0x330>ffffff8009940b7c:     d0004460     adrp   x0, ffffff800a1ce000 <reset_devices>ffffff8009940b80:    b9407400     ldr       w0, [x0,#116]ffffff8009940b84:    350002a0     cbnz    w0, ffffff8009940bd8 <start_kernel+0x330>ffffff8009940b88:    90fffb22        adrp   x2, ffffff80098a4000 <kallsyms_token_index+0x27c000>ffffff8009940b8c:     d34c9421     ubfx    x1, x1, #12, #26ffffff8009940b90:    d2dff7e0       mov    x0, #0xffbf00000000               // #281195803836416ffffff8009940b94:    aa0003e4     mov    x4, x0ffffff8009940b98:    f2ffffe0          movk  x0, #0xffff, lsl #48ffffff8009940b9c:     f9418843      ldr       x3, [x2,#784]ffffff8009940ba0:     aa011800     orr      x0, x0, x1, lsl #6ffffff8009940ba4:     f00045e1      adrp   x1, ffffff800a1ff000 <vm_committed_as>ffffff8009940ba8:     f2ffffe4          movk  x4, #0xffff, lsl #48ffffff8009940bac:     934cfc63       asr      x3, x3, #12ffffff8009940bb0:    f9417c22      ldr       x2, [x1,#760]ffffff8009940bb4:    cb031881     sub     x1, x4, x3, lsl #6ffffff8009940bb8:    cb010001     sub     x1, x0, x1ffffff8009940bbc:     9346fc21      asr      x1, x1, #6ffffff8009940bc0:     eb02003f     cmp    x1, x2ffffff8009940bc4:     540000a2     b.cs     ffffff8009940bd8 <start_kernel+0x330>ffffff8009940bc8:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940bcc:     91128000     add     x0, x0, #0x4a0ffffff8009940bd0:    97a2c3c5      bl        ffffff80081f1ae4 <printk>ffffff8009940bd4:    f900429f       str       xzr, [x20,#128]ffffff8009940bd8:    94009abe     bl        ffffff80099676d0 <page_ext_init>ffffff8009940bdc:     9400d8bc     bl        ffffff8009976ecc <debug_objects_mem_init>ffffff8009940be0:    94009572     bl        ffffff80099661a8 <kmemleak_init>ffffff8009940be4:    9400784f      bl        ffffff800995ed20 <setup_per_cpu_pageset>ffffff8009940be8:    900003e0     adrp   x0, ffffff80099bc000 <tmp_cmdline.49267+0x2c8>ffffff8009940bec:     f9469c00      ldr       x0, [x0,#3384]ffffff8009940bf0:     b4000040     cbz      x0, ffffff8009940bf8 <start_kernel+0x350>ffffff8009940bf4:     d63f0000     blr       x0ffffff8009940bf8:     979ef6fc       bl        ffffff80080fe7e8 <sched_clock_init>ffffff8009940bfc:      979d100e     bl        ffffff8008084c34 <calibrate_delay>ffffff8009940c00:     94003eff       bl        ffffff80099507fc <pidmap_init>ffffff8009940c04:     94008a5b     bl        ffffff8009963570 <anon_vma_init>ffffff8009940c08:     97ffff27         bl        ffffff80099408a4 <thread_stack_cache_init>ffffff8009940c0c:     94004043     bl        ffffff8009950d18 <cred_init>ffffff8009940c10:     9400387c      bl        ffffff800994ee00 <fork_init>ffffff8009940c14:     940038b7     bl        ffffff800994eef0 <proc_caches_init>ffffff8009940c18:     9400a241     bl        ffffff800996951c <buffer_init>ffffff8009940c1c:     9400caf5      bl        ffffff80099737f0 <key_init>ffffff8009940c20:     9400cb70     bl        ffffff80099739e0 <security_init>ffffff8009940c24:     94009ca1      bl        ffffff8009967ea8 <vfs_caches_init>ffffff8009940c28:     94003d43     bl        ffffff8009950134 <signals_init>ffffff8009940c2c:     940079d0     bl        ffffff800995f36c <page_writeback_init>ffffff8009940c30:     9400a67e     bl        ffffff800996a628 <proc_root_init>ffffff8009940c34:     9400a227     bl        ffffff80099694d0 <nsfs_init>ffffff8009940c38:     94006416     bl        ffffff8009959c90 <cpuset_init>ffffff8009940c3c:     940062f3      bl        ffffff8009959808 <cgroup_init>ffffff8009940c40:     94006629     bl        ffffff800995a4e4 <taskstats_init_early>ffffff8009940c44:     97a16c44     bl        ffffff800819bd54 <delayacct_init>ffffff8009940c48:     f0003320      adrp   x0, ffffff8009fa7000 <ehci_platform_hc_driver+0xe8>ffffff8009940c4c:     910f8000      add     x0, x0, #0x3e0ffffff8009940c50:     f940a000      ldr       x0, [x0,#320]ffffff8009940c54:     9400673f      bl        ffffff800995a950 <ftrace_init>ffffff8009940c58:     97dfca03      bl        ffffff8009133464 <rest_init>ffffff8009940c5c:     f94037a1      ldr       x1, [x29,#104]ffffff8009940c60:     f9460660      ldr       x0, [x19,#3080]ffffff8009940c64:     eb00003f     cmp    x1, x0ffffff8009940c68:     540001a0     b.eq    ffffff8009940c9c <start_kernel+0x3f4>ffffff8009940c6c:     979dcee3      bl        ffffff80080b47f8 <__stack_chk_fail>ffffff8009940c70:     12800004     mov    w4, #0xffffffff                      // #-1ffffff8009940c74:     90ffe740       adrp   x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940c78:     90000007     adrp   x7, ffffff8009940000 <stext>ffffff8009940c7c:     d2800002     mov    x2, #0x0                        // #0ffffff8009940c80:     52800003     mov    w3, #0x0                       // #0ffffff8009940c84:     2a0403e5     mov    w5, w4ffffff8009940c88:     d2800006     mov    x6, #0x0                        // #0ffffff8009940c8c:     911c80e7     add     x7, x7, #0x720ffffff8009940c90:     91138000     add     x0, x0, #0x4e0ffffff8009940c94:     979e7e96     bl        ffffff80080e06ec <parse_args>ffffff8009940c98:     17ffff78         b         ffffff8009940a78 <start_kernel+0x1d0>ffffff8009940c9c:     a94153f3      ldp      x19, x20, [sp,#16]ffffff8009940ca0:     a9425bf5      ldp      x21, x22, [sp,#32]ffffff8009940ca4:     a94363f7      ldp      x23, x24, [sp,#48]ffffff8009940ca8:     f94023f9       ldr       x25, [sp,#64]ffffff8009940cac:     a8c77bfd      ldp      x29, x30, [sp],#112ffffff8009940cb0:     d65f03c0      ret

真实数据位置偏移根据前面信息计算(NOTE off    0x000000000183cc48 vaddr 0xffffff800993cc48)

0x18408a8=0x99408a8-0x0x8100000

可以使用hexdump以16进制读取可执行文件,对比反汇编的机器码。

hexdump -s 0x18408a8 -n 1024 vmlinux

18408a8 7bfd a9b9 3380 f000 03fd 9100 63f7 a90318408b8 32f8 f000 0000 9112 53f3 a901 5bf5 a90218408c8 0701 f946 37a1 f900 23f9 f900 c255 979d18408d8 0dc7 9400 d951 9400 637a 9400 42df d50318408e8 32f6 f000 e434 97a1 0020 5280 03d4 f00018408f8 0294 9134 4475 d000 02c0 3930 3b72 94001840908 c601 90ff e740 90ff 6021 9102 c000 910f1840918 e294 9120 02b7 9100 c471 97a2 03f3 aa181840928 63a0 9101 0dc7 9400 0101 5280 83a0 91011840938 3acb 97b6 33a1 f940 2e00 d281 0080 f2a0

这里以反汇编方式找到boot.img中内核入口start_kernel代码的反汇编机器码位置,高手可以编辑它,重新打包,关掉相关安全验证(Verify Boot,DM-verity,回滚保护)刷到设备中。汇编是比较老的语言,但是是离机器最近的语言,玩软件破解和加密应该熟悉。就算不玩破解,知道点反汇编对于代码和程序的理解也会不同。下面是随便找的一个破解例子

Linux下使用objdump+vim+xxd进行反汇编并修改指令

1.2、设备树

unpackbootimg没看到设备树,对比编译出的Image.gz-dtb与Image.gz可以知道,mkbootimg把Image.gz-dtb(设备树)作为kernel制作boot.img的,设备树还在内核解包的zImage中。要获取设备树需要读取其中信息才可分离出来。GITHUB有从内核中解压设备树工具https://github.com/PabloCastellano/extract-dtb

python3 extract-dtb.py kernel

Dumped 00_kernel, start=0 end=12116314Dumped 01_dtbdump_***.dtb, start=12116314 end=12393371Dumped 02_dtbdump_xK`)+-;pw_qK.dtb, start=12393371 end=12393544Extracted 2 appended dtbs + kernel to dtb

dtc -O dts 01_dtbdump_***.dtb -o test0.dts

可以用dtc来分析源码编译出的设备树obj\KERNEL_OBJ\arch\arm64\boot\dts\***.dtb。

dtc -I dtb -O dts obj\KERNEL_OBJ\arch\arm64\boot\dts\***.dtb -o test1.dts

转换成dts格式后,文本编辑器可以直接读。也可比较boot.img解包出的dts、编译的dts两个文件,验证是否一致。

1.3、根目录

  • gzip -d boot.img-ramdisk.gz解压缩。
  • cpio -i -F boot.img-ramdisk解包。

这样就看到根目录。

内核调试可以使用fastboot boot boot.img命令,boot.img不刷入分区,直接载入ram运行。还可以使用下面参数设置,同时注意下设备安全限制(AVB,防回滚)。

fastboot -h

-c <cmdline>                             Override kernel commandline.-b, --base <base_addr>                   Specify a custom kernel baseaddress (default: 0x10000000).--kernel-offset                          Specify a custom kernel offset.(default: 0x00008000)--ramdisk-offset                         Specify a custom ramdisk offset.(default: 0x01000000)--tags-offset                            Specify a custom tags offset.(default: 0x00000100)-n, --page-size <page size>                 Specify the nand page size(default: 2048).

fastboot boot boot.img

fastboot -c "console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=0 androidboot.bootdevice=7824900.sdhci earlycon=msm_serial_dm,0x78af000 firmware_class.path=/vendor/firmware_mnt/image androidboot.usbconfigfs=true loop.max_part=7 buildvariant=user" -b 0x80000000 boot Z:\boot.img

2、emmc_appsboot.mbn:

bootloader镜像emmc_appsboot.mbn,与zImage一样,可以readelf解析,但不能objdump反汇编。所以我们对编译最后一步sectools.py签名前的文件lk_s.elf进行反汇编。

参照上面vmlinux反编译方式读出关键函数<aboot_init>机器码位置。

aarch64-linux-androidkernel-objdump -d lk_s.elf --start-address=0x8f63f390 --stop-address=0x8f63f8b0

lk_s.elf:     file format elf32-littlearmDisassembly of section .text:8f63f390 <aboot_init>:8f63f390:      e92d4ff0       push   {r4, r5, r6, r7, r8, r9, sl, fp, lr}8f63f394:      e28db020     add     fp, sp, #328f63f398:      e24dd024     sub     sp, sp, #36     ; 0x248f63f39c:       e3006980     movw r6, #2432      ; 0x9808f63f3a0:      e3486f76      movt   r6, #36726    ; 0x8f768f63f3a4:      e50be030     str       lr, [fp, #-48]   ; 0xffffffd08f63f3a8:      e5963000     ldr       r3, [r6]8f63f3ac:       e50b3028     str       r3, [fp, #-40]  ; 0xffffffd88f63f3b0:      ebffd709       bl        8f634fdc <target_is_emmc_boot>8f63f3b4:      e3500000     cmp    r0, #08f63f3b8:      0a00006f      beq     8f63f57c <aboot_init+0x1ec>8f63f3bc:      ebff4487       bl        8f6105e0 <mmc_page_size>8f63f3c0:      e30920d8     movw r2, #37080    ; 0x90d88f63f3c4:      e30d33dc     movw r3, #54236    ; 0xd3dc8f63f3c8:      e3482f75      movt   r2, #36725    ; 0x8f758f63f3cc:       e3483f74      movt   r3, #36724    ; 0x8f74***

LOAD off    0x00008000 vaddr 0x8f600000

0x47390=0x8f63f390 -0x8f600000+0x00008000

hexdump -s 0x47390 -n 1024 lk_s.elf

0047390 4ff0 e92d b020 e28d d024 e24d 6980 e30000473a0 6f76 e348 e030 e50b 3000 e596 3028 e50b00473b0 d709 ebff 0000 e350 006f 0a00 4487 ebff00473c0 20d8 e309 33dc e30d 2f75 e348 3f74 e34800473d0 1001 e240 0000 e582 1000 e583 424c ebff00473e0 20c8 e309 33c8 e30d 2f75 e348 3f74 e34800473f0 1001 e240 0000 e582 1000 e583 0a64 e3000047400 0f71 e348 25f6 eb00 a00d e1a0 ff4f ebff0047410 0a80 e300 0f71 e348 25f1 eb00 0c94 e3090047420 0f72 e348 f3cb ebff 4239 ebff 3086 e2800047430 7000 e1a0 3007 e3c3 0c80 e309 d003 e04d

这里机器码与反汇编码对应上了(android有相关签名验证链,一环套一环,无签名与许可不要尝试修改破解)

3、splash.img:

这个是开机画面镜像,生成工具是logo_gen.py,分析可以转多开机界面适配,多dtbo合入。

4、dtbo.img:

该镜像是设备树叠加层,官网有介绍,源码有mkdtimg工具制作和解析,该镜像只包含设备树叠加层,没有设备树,详细可以看看多开机界面适配,多dtbo合入。

5、mdtp.img:

高通源码直接复制而来,无法分析。

6、vbmeta.img:

用于安全验证,bootloader验证vbmeta的签名,再用vbmeta的key以及hash值验证dtbo/boot/system/vendor。里面格式数据可以访问https://android.googlesource.com/platform/external/avb/+/master/README.md#The-VBMeta-struct,后面的blog刷机相关的Android的安全中会用avbtool生成该镜像。

7、Linux rev 1.0 ext4 filesystem data(persist.img)

文件系统镜像

mkdir test;mount persist.img test;sudo chmod 777 test

8、Android sparse image(system.img、userdata.img、vendor.img):

system.img、userdata.img、vendor.img、persist.img都是sparse压缩文件系统镜像,目的是方便传输/刷机/存储等。想查看内容需先转换为raw格式。现在system和vendor后有追加哈希树。userdata加密后无法挂载。

simg2img system.img system_raw.img;mkdir test;mount system_raw.img test;sudo chmod 777 test

9、Super.img :

super.img是几个只读分区的合并,file读取格式可能为data,android源码有lpunpack工具分解,提示无该命令可以先make lpunpack,

lpunpack super.img

查看服务器编译的system/vendor等sparse格式镜像时,如果挂载失败,可以尝试加只读参数才能来查看:

mount -o ro system_raw.img test;

该系列第二条线就是镜像分析,本博客主要以反汇编方式分析内核镜像。后面几个blog也会分析其他文件。

android刷机方式将分析nonAB的OTA包中system.dat转换、AB的OTA包中payload.bin的转换。

刷机相关的Android的安全中将分析vbmeta,以及avbtool使用。还有如何查看SELinux规则文件,单编SELinux规则文件。

正确的刷机观中分析gpt文件,NV备份。

多开机界面,多设备树叠加层中将分析splash.img和dtbo.img镜像。

如果还有需要解析的镜像,博友可以评论提。

android镜像分析相关推荐

  1. Android x86镜像分析

    这几天学习Android,基于x86平台.先了解一下android的安装过程.在其官方网站上下载了Android的iSO,就解压出来看看,需要说明的是以下的操作都是在root用户下进行的.以下是学习过 ...

  2. Android 逆向分析大全

    转载:Android 逆向分析大全:https://www.jianshu.com/p/a12d04fc748f 1. 概述 1.1 分析步骤 通用逆向分析步骤 1. 了解该模块正向编程相关方法 2. ...

  3. Android系统性能优化(54)---Android性能分析专题

    Android性能分析专题 1.  背景:Android App优化, 要怎么做? 2.  Android App优化之性能分析工具 3.  Android App优化之提升你的App启动速度之理论基 ...

  4. 【Autopsy数字取证篇】Autopsy案例创建与镜像分析详细教程

    [Autopsy数字取证篇]Autopsy案例创建与镜像分析详细教程 Autopsy是一款非常优秀且功能强大的免费开源数字取证分析工具.-[蘇小沐] 文章目录 [Autopsy数字取证篇]Autops ...

  5. 【SA8295P 源码分析】02 - SA8295P 整包镜像分析

    [SA8295P 源码分析]02 - SA8295P 整包镜像分析 一.UFS LUNs 二.开机启动相关镜像介绍 三.QNX Host相关镜像介绍 四.Android GVM 相关镜像介绍 五.其他 ...

  6. android逆向分析概述_Android存储概述

    android逆向分析概述 Storage is this thing we are all aware of, but always take for granted. Not long ago, ...

  7. Android JNI入门第五篇——Android.mk分析

    转载请标明出处: http://blog.csdn.net/michael1112/article/details/56671708 江东橘子的博客 Android.mk文件是在使用NDK编译C代码时 ...

  8. Android多线程分析之二:Thread的实现

    Android多线程分析之二:Thread的实现 罗朝辉 (http://www.cnblogs.com/kesalin/) CC 许可,转载请注明出处 在前文<Android多线程分析之一:使 ...

  9. Android内存分析和调优(上)

    Android内存分析和调优(上) Android内存分析和调优(上) Android内存分析工具(四):adb命令 posted on 2017-09-25 19:29 时空观察者9号 阅读(... ...

最新文章

  1. log4j debug写法
  2. linux下VMware_Tools虚拟机工具的安装
  3. RedisTemplate和StringRedisTemplate使用
  4. C++工作笔记-对const_cast的理解
  5. java泛型特点_java泛型简单总结
  6. 程序员,学会这些技能让你的薪资翻倍!
  7. Java Redis 做分布式锁
  8. TensorFlow学习记录1-一些比较好的学习资源
  9. Java程序猿从笨鸟到菜鸟之(九十二)深入java虚拟机(一)——java虚拟机底层结构具体解释...
  10. 重置浏览器的css,css重置浏览器默认样式
  11. CREO:CREO软件之零件【模型】形状之拉伸、旋转、旋转混合的简介及其使用方法(图文教程)之详细攻略
  12. VAX 经常Parsing 整个项目/CPU负载过高解决办法
  13. C++算法——字幕校对问题
  14. 解决ValueError: too many values to unpack
  15. 浏览器通过原生JS实现录音功能
  16. 树莓派4B的引脚控制简单demo
  17. 修复iPhone8白屏的3种方法,可保留设备数据
  18. 《数论概论》读书笔记(第一章) 什么是数论?
  19. 全面支持 PyTorch 2.0:BladeDISC 5 月~11 月新功能发布
  20. 垃圾渗滤液处理常用的组合工艺

热门文章

  1. 花指令,LLVM简介
  2. python美食推荐系统 菜谱管理系统 django框架 购物车 网站 MySQL数据库 源码下载 计算机毕业设计
  3. cmd 运行不要显示黑色窗口
  4. X32dbg-查找MFC窗口过程函数-跟踪直到满足条件-条件断点-查看窗口句柄
  5. ACWing 2021寒假每日一题题解
  6. Htc one m7 港版5.12.708.3官方RUU系统备份
  7. 【html audio】播放音频
  8. NetworkX入门教程
  9. error: stray ‘\×××’ in program错误原因及解决方法
  10. 狂热的商城和被弃的淘宝